
Hi,

 

There may be a doc out there but I have not found it.

I am looking to deploy a new hardened repository. It seems the ISO is not available. I am not so concerned about the deployment steps as much as getting the disk partitioning set up correctly.

 

I see Ubuntu version 20, but also people moving to 22, and version 24 is now available. What version are people using running Veeam version 12.2? I have a base deployment on 24 right now.

 

I see some that go with the wizard and let the setup make the disk partition decisions. I have a server with 24 SSD disks and am looking to create a RAID 10 with 2 disks for the boot and OS etc. and then a RAID 6 with the 22 disks. One doc has numerous volumes based on this comment: “If you want to align with security best practices (e.g. CIS Benchmarks), then partitioning is a bit more complex.”

That article is here: https://www.veeam.com/blog/installing-ubuntu-linux-veeam-hardened-repository.html

I created disks based on the article but am not confident I have them set up correctly.

If I can get help on the disk partition and setup I think I can get through the rest.

 

Thanks

Hi @tyoungbauer -

That is the only Veeam semi-official post I’m aware of. I created a post on here on setting up a hardened Repo, but I didn’t fully implement DISA configs, etc.
 

In the above post, I share a place I got quite a bit of initial info from (a Veeam Vanguard’s post), as well as from the User Guide:

https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository_limitations.html?ver=120

For my disks, I, like you, used 2 disks for OS (RAID1), then a RAID6 for my remaining disks (6 disks totalling about 84TB). I didn’t worry about LVM...no need imo. I did let the install create everything, but as just mentioned, didn’t enable anything with LVM.

The author of the article is @HannesK. Maybe he can shed more light beyond what I’ve provided.


Thanks for the response. Am I over-engineering with that or should I go without it? Then I can deploy the OS on one volume and then the repo on the other.

 

Thanks


That’s what I did. How hardened you want it is really up to you. I personally didn’t go that route. I for sure obviously want my data protected and my server somewhat hardened (i.e. the immutability and disabling SSH pretty much does that trick for me), but I don’t need all those DISA rules implemented. Again...that’s just me.

For protecting access to the server, you could allow only a certain IP or 2 (i.e. your device and a secondary person) to get to it, which would further harden it and prevent access from some odd entity. I think those rules are more for highly regulated biz’s like healthcare, finance, gov’t, etc. And, of course, those who just want to severely harden their servers 😊


RAID 6, Ubuntu, 250TB vols with reflink 4096, no LVM & placed in a SOBR config is my typical, w/ throwaway creds.


@tyoungbauer Shane already posted a very nice article about it and mentioned also the series from Paolo (Nolabnoparty.com - virtualization and beyond) and the blog post from Hannes. I would go with these. This collection was also my base when I started with several VHR deployments - currently I would say we have about 30 systems of them deployed, without any hiccups.

All of them are running on Ubuntu, some with additional hardening; also take a look at Securing Veeam Hardened Repository against remote time attacks.

 

But what I wanted to mention: as of today a Community preview of the new Veeam Hardened Repository ISO was made publicly available → [PREVIEW] Managed Hardened Repository ISO by Veeam - R&D Forums.

For sure, it’s currently not for production environments, but this can be the way to go in the near future 😊 Very simple deployment, the smallest disk will be used for the OS, the biggest for the Data Disk/Repository, Reflink already set, integrated DISA/STIGs, updates direct from Veeam, and so many more...


Thanks all…

I did find this link and assume it is somewhere in a thread but thought I would post it again. It is very good and thorough. Also has a GitHub with them as PDF files.

https://www.experts-exchange.com/articles/36811/Part-1-Build-an-immutable-backup-repository-for-Veeam-Backup-Replication.html

 

TY

